New features means new bugs

Sometimes new features designed to generate revenue for a company can be rushed and sometimes not enough thought has gone into how to securely implement this new feature into the main web app. What does that usually mean? Bugs! The bigger the company the more products planned on the road map. The bigger the work load the more mistakes that are made.

How a new feature enabled me to bypass ID verification, very easily..

~Enter a new feature~

A new feature was introduced which let page owners publish ads. Let’s get to play.

Straight away I noticed one major problem and that was the fact anyone could purchase ads for any company. It didn’t require me to be a member of this company first, I could simply select any company I wish from a drop down box. However things went from bad to worse very quickly. Upon purchasing ads for my chosen company I was then granted ownership of the company. Wait, really? What?! Could this get worse?

Oh yes.. it can. The second major problem was Sandbox CC details worked when purchasing ads. (4111 1111 1111 1111). This means an attacker could choose any company’s page he wishes, purchase ads using a sandbox CC number, and suddenly they had admin rights, at zero cost. Easy right? After obtaining admin rights I had access to do… well, everything. Edit or remove the page, remove other admins, browse their information etc.

Sean, am I reading that right? That simple?

If the sandbox CC test had failed I would of still continued with a real CC just to see what would happen, because if you don’t try, how will you ever know? (as long as the cost is low!). The fact it allowed me to begin the process for buying ads for a company without even proving my ID is what sparked my curiosity.

Devs.. don’t rush things! Think it through when implementing new features.

And hackers… always be on the look out for new features. Be sure to follow them on twitter, browse news on them weekly, keep up to date with what they are planning on releasing. Also don’t be afraid to spend some $$ when testing features on websites, just don’t spend LOADS. Also I recommend a separate card used just for BB transactions.

~ zseano

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Sean (zseano)

UK WebApp Security Researcher. Creator of BugBountyHunter— designed to help people learn and get involved with hacking. zseano.com & bugbountyhunter.com